<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/include/net, branch v3.18.22</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>ipv6: lock socket in ip6_datagram_connect()</title>
<updated>2015-09-28T22:57:01+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>edumazet@google.com</email>
</author>
<published>2015-07-14T06:10:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=4bbded3d6ce48179a0e7067305e5e33860f2c490'/>
<id>4bbded3d6ce48179a0e7067305e5e33860f2c490</id>
<content type='text'>
[ Upstream commit 03645a11a570d52e70631838cb786eb4253eb463 ]

ip6_datagram_connect() is doing a lot of socket changes without
socket being locked.

This looks wrong, at least for udp_lib_rehash() which could corrupt
lists because of concurrent udp_sk(sk)-&gt;udp_portaddr_hash accesses.

Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Acked-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 03645a11a570d52e70631838cb786eb4253eb463 ]

ip6_datagram_connect() is doing a lot of socket changes without
socket being locked.

This looks wrong, at least for udp_lib_rehash() which could corrupt
lists because of concurrent udp_sk(sk)-&gt;udp_portaddr_hash accesses.

Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Acked-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>sctp: fix ASCONF list handling</title>
<updated>2015-07-05T14:12:58+00:00</updated>
<author>
<name>Marcelo Ricardo Leitner</name>
<email>marcelo.leitner@gmail.com</email>
</author>
<published>2015-06-12T13:16:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=720e1669baa8f2658d737825e49edb018cf3aa1d'/>
<id>720e1669baa8f2658d737825e49edb018cf3aa1d</id>
<content type='text'>
[ Upstream commit 2d45a02d0166caf2627fe91897c6ffc3b19514c4 ]

-&gt;auto_asconf_splist is per namespace and mangled by functions like
sctp_setsockopt_auto_asconf() which doesn't guarantee any serialization.

Also, the call to inet_sk_copy_descendant() was backuping
-&gt;auto_asconf_list through the copy but was not honoring
-&gt;do_auto_asconf, which could lead to list corruption if it was
different between both sockets.

This commit thus fixes the list handling by using -&gt;addr_wq_lock
spinlock to protect the list. A special handling is done upon socket
creation and destruction for that. Error handlig on sctp_init_sock()
will never return an error after having initialized asconf, so
sctp_destroy_sock() can be called without addrq_wq_lock. The lock now
will be take on sctp_close_sock(), before locking the socket, so we
don't do it in inverse order compared to sctp_addr_wq_timeout_handler().

Instead of taking the lock on sctp_sock_migrate() for copying and
restoring the list values, it's preferred to avoid rewritting it by
implementing sctp_copy_descendant().

Issue was found with a test application that kept flipping sysctl
default_auto_asconf on and off, but one could trigger it by issuing
simultaneous setsockopt() calls on multiple sockets or by
creating/destroying sockets fast enough. This is only triggerable
locally.

Fixes: 9f7d653b67ae ("sctp: Add Auto-ASCONF support (core).")
Reported-by: Ji Jianwen &lt;jiji@redhat.com&gt;
Suggested-by: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Suggested-by: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
Acked-by: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
Signed-off-by: Marcelo Ricardo Leitner &lt;marcelo.leitner@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 2d45a02d0166caf2627fe91897c6ffc3b19514c4 ]

-&gt;auto_asconf_splist is per namespace and mangled by functions like
sctp_setsockopt_auto_asconf() which doesn't guarantee any serialization.

Also, the call to inet_sk_copy_descendant() was backuping
-&gt;auto_asconf_list through the copy but was not honoring
-&gt;do_auto_asconf, which could lead to list corruption if it was
different between both sockets.

This commit thus fixes the list handling by using -&gt;addr_wq_lock
spinlock to protect the list. A special handling is done upon socket
creation and destruction for that. Error handlig on sctp_init_sock()
will never return an error after having initialized asconf, so
sctp_destroy_sock() can be called without addrq_wq_lock. The lock now
will be take on sctp_close_sock(), before locking the socket, so we
don't do it in inverse order compared to sctp_addr_wq_timeout_handler().

Instead of taking the lock on sctp_sock_migrate() for copying and
restoring the list values, it's preferred to avoid rewritting it by
implementing sctp_copy_descendant().

Issue was found with a test application that kept flipping sysctl
default_auto_asconf on and off, but one could trigger it by issuing
simultaneous setsockopt() calls on multiple sockets or by
creating/destroying sockets fast enough. This is only triggerable
locally.

Fixes: 9f7d653b67ae ("sctp: Add Auto-ASCONF support (core).")
Reported-by: Ji Jianwen &lt;jiji@redhat.com&gt;
Suggested-by: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Suggested-by: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
Acked-by: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
Signed-off-by: Marcelo Ricardo Leitner &lt;marcelo.leitner@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>netfilter: nf_qeueue: Drop queue entries on nf_unregister_hook</title>
<updated>2015-07-05T14:12:48+00:00</updated>
<author>
<name>Eric W. Biederman</name>
<email>ebiederm@xmission.com</email>
</author>
<published>2015-06-19T19:03:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b396bdb5f1e1692d38b2c2d11c67c7fc182546b7'/>
<id>b396bdb5f1e1692d38b2c2d11c67c7fc182546b7</id>
<content type='text'>
[ Upstream commit 8405a8fff3f8545c888a872d6e3c0c8eecd4d348 ]

Add code to nf_unregister_hook to flush the nf_queue when a hook is
unregistered.  This guarantees that the pointer that the nf_queue code
retains into the nf_hook list will remain valid while a packet is
queued.

I tested what would happen if we do not flush queued packets and was
trivially able to obtain the oops below.  All that was required was
to stop the nf_queue listening process, to delete all of the nf_tables,
and to awaken the nf_queue listening process.

&gt; BUG: unable to handle kernel paging request at 0000000100000001
&gt; IP: [&lt;0000000100000001&gt;] 0x100000001
&gt; PGD b9c35067 PUD 0
&gt; Oops: 0010 [#1] SMP
&gt; Modules linked in:
&gt; CPU: 0 PID: 519 Comm: lt-nfqnl_test Not tainted
&gt; task: ffff8800b9c8c050 ti: ffff8800ba9d8000 task.ti: ffff8800ba9d8000
&gt; RIP: 0010:[&lt;0000000100000001&gt;]  [&lt;0000000100000001&gt;] 0x100000001
&gt; RSP: 0018:ffff8800ba9dba40  EFLAGS: 00010a16
&gt; RAX: ffff8800bab48a00 RBX: ffff8800ba9dba90 RCX: ffff8800ba9dba90
&gt; RDX: ffff8800b9c10128 RSI: ffff8800ba940900 RDI: ffff8800bab48a00
&gt; RBP: ffff8800b9c10128 R08: ffffffff82976660 R09: ffff8800ba9dbb28
&gt; R10: dead000000100100 R11: dead000000200200 R12: ffff8800ba940900
&gt; R13: ffffffff8313fd50 R14: ffff8800b9c95200 R15: 0000000000000000
&gt; FS:  00007fb91fc34700(0000) GS:ffff8800bfa00000(0000) knlGS:0000000000000000
&gt; CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
&gt; CR2: 0000000100000001 CR3: 00000000babfb000 CR4: 00000000000007f0
&gt; Stack:
&gt;  ffffffff8206ab0f ffffffff82982240 ffff8800bab48a00 ffff8800b9c100a8
&gt;  ffff8800b9c10100 0000000000000001 ffff8800ba940900 ffff8800b9c10128
&gt;  ffffffff8206bd65 ffff8800bfb0d5e0 ffff8800bab48a00 0000000000014dc0
&gt; Call Trace:
&gt;  [&lt;ffffffff8206ab0f&gt;] ? nf_iterate+0x4f/0xa0
&gt;  [&lt;ffffffff8206bd65&gt;] ? nf_reinject+0x125/0x190
&gt;  [&lt;ffffffff8206dee5&gt;] ? nfqnl_recv_verdict+0x255/0x360
&gt;  [&lt;ffffffff81386290&gt;] ? nla_parse+0x80/0xf0
&gt;  [&lt;ffffffff8206c42c&gt;] ? nfnetlink_rcv_msg+0x13c/0x240
&gt;  [&lt;ffffffff811b2fec&gt;] ? __memcg_kmem_get_cache+0x4c/0x150
&gt;  [&lt;ffffffff8206c2f0&gt;] ? nfnl_lock+0x20/0x20
&gt;  [&lt;ffffffff82068159&gt;] ? netlink_rcv_skb+0xa9/0xc0
&gt;  [&lt;ffffffff820677bf&gt;] ? netlink_unicast+0x12f/0x1c0
&gt;  [&lt;ffffffff82067ade&gt;] ? netlink_sendmsg+0x28e/0x650
&gt;  [&lt;ffffffff81fdd814&gt;] ? sock_sendmsg+0x44/0x50
&gt;  [&lt;ffffffff81fde07b&gt;] ? ___sys_sendmsg+0x2ab/0x2c0
&gt;  [&lt;ffffffff810e8f73&gt;] ? __wake_up+0x43/0x70
&gt;  [&lt;ffffffff8141a134&gt;] ? tty_write+0x1c4/0x2a0
&gt;  [&lt;ffffffff81fde9f4&gt;] ? __sys_sendmsg+0x44/0x80
&gt;  [&lt;ffffffff823ff8d7&gt;] ? system_call_fastpath+0x12/0x6a
&gt; Code:  Bad RIP value.
&gt; RIP  [&lt;0000000100000001&gt;] 0x100000001
&gt;  RSP &lt;ffff8800ba9dba40&gt;
&gt; CR2: 0000000100000001
&gt; ---[ end trace 08eb65d42362793f ]---

Cc: stable@vger.kernel.org
Signed-off-by: "Eric W. Biederman" &lt;ebiederm@xmission.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 8405a8fff3f8545c888a872d6e3c0c8eecd4d348 ]

Add code to nf_unregister_hook to flush the nf_queue when a hook is
unregistered.  This guarantees that the pointer that the nf_queue code
retains into the nf_hook list will remain valid while a packet is
queued.

I tested what would happen if we do not flush queued packets and was
trivially able to obtain the oops below.  All that was required was
to stop the nf_queue listening process, to delete all of the nf_tables,
and to awaken the nf_queue listening process.

&gt; BUG: unable to handle kernel paging request at 0000000100000001
&gt; IP: [&lt;0000000100000001&gt;] 0x100000001
&gt; PGD b9c35067 PUD 0
&gt; Oops: 0010 [#1] SMP
&gt; Modules linked in:
&gt; CPU: 0 PID: 519 Comm: lt-nfqnl_test Not tainted
&gt; task: ffff8800b9c8c050 ti: ffff8800ba9d8000 task.ti: ffff8800ba9d8000
&gt; RIP: 0010:[&lt;0000000100000001&gt;]  [&lt;0000000100000001&gt;] 0x100000001
&gt; RSP: 0018:ffff8800ba9dba40  EFLAGS: 00010a16
&gt; RAX: ffff8800bab48a00 RBX: ffff8800ba9dba90 RCX: ffff8800ba9dba90
&gt; RDX: ffff8800b9c10128 RSI: ffff8800ba940900 RDI: ffff8800bab48a00
&gt; RBP: ffff8800b9c10128 R08: ffffffff82976660 R09: ffff8800ba9dbb28
&gt; R10: dead000000100100 R11: dead000000200200 R12: ffff8800ba940900
&gt; R13: ffffffff8313fd50 R14: ffff8800b9c95200 R15: 0000000000000000
&gt; FS:  00007fb91fc34700(0000) GS:ffff8800bfa00000(0000) knlGS:0000000000000000
&gt; CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
&gt; CR2: 0000000100000001 CR3: 00000000babfb000 CR4: 00000000000007f0
&gt; Stack:
&gt;  ffffffff8206ab0f ffffffff82982240 ffff8800bab48a00 ffff8800b9c100a8
&gt;  ffff8800b9c10100 0000000000000001 ffff8800ba940900 ffff8800b9c10128
&gt;  ffffffff8206bd65 ffff8800bfb0d5e0 ffff8800bab48a00 0000000000014dc0
&gt; Call Trace:
&gt;  [&lt;ffffffff8206ab0f&gt;] ? nf_iterate+0x4f/0xa0
&gt;  [&lt;ffffffff8206bd65&gt;] ? nf_reinject+0x125/0x190
&gt;  [&lt;ffffffff8206dee5&gt;] ? nfqnl_recv_verdict+0x255/0x360
&gt;  [&lt;ffffffff81386290&gt;] ? nla_parse+0x80/0xf0
&gt;  [&lt;ffffffff8206c42c&gt;] ? nfnetlink_rcv_msg+0x13c/0x240
&gt;  [&lt;ffffffff811b2fec&gt;] ? __memcg_kmem_get_cache+0x4c/0x150
&gt;  [&lt;ffffffff8206c2f0&gt;] ? nfnl_lock+0x20/0x20
&gt;  [&lt;ffffffff82068159&gt;] ? netlink_rcv_skb+0xa9/0xc0
&gt;  [&lt;ffffffff820677bf&gt;] ? netlink_unicast+0x12f/0x1c0
&gt;  [&lt;ffffffff82067ade&gt;] ? netlink_sendmsg+0x28e/0x650
&gt;  [&lt;ffffffff81fdd814&gt;] ? sock_sendmsg+0x44/0x50
&gt;  [&lt;ffffffff81fde07b&gt;] ? ___sys_sendmsg+0x2ab/0x2c0
&gt;  [&lt;ffffffff810e8f73&gt;] ? __wake_up+0x43/0x70
&gt;  [&lt;ffffffff8141a134&gt;] ? tty_write+0x1c4/0x2a0
&gt;  [&lt;ffffffff81fde9f4&gt;] ? __sys_sendmsg+0x44/0x80
&gt;  [&lt;ffffffff823ff8d7&gt;] ? system_call_fastpath+0x12/0x6a
&gt; Code:  Bad RIP value.
&gt; RIP  [&lt;0000000100000001&gt;] 0x100000001
&gt;  RSP &lt;ffff8800ba9dba40&gt;
&gt; CR2: 0000000100000001
&gt; ---[ end trace 08eb65d42362793f ]---

Cc: stable@vger.kernel.org
Signed-off-by: "Eric W. Biederman" &lt;ebiederm@xmission.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: add sk_fullsock() helper</title>
<updated>2015-06-28T17:39:21+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>edumazet@google.com</email>
</author>
<published>2015-03-16T04:12:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=2ed8cb3d22b59eda73c203412d02add4d0901255'/>
<id>2ed8cb3d22b59eda73c203412d02add4d0901255</id>
<content type='text'>
[ Upstream commit 1d0ab253872cdd3d8e7913f59c266c7fd01771d0 ]

We have many places where we want to check if a socket is
not a timewait or request socket. Use a helper to avoid
hard coding this.

Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 1d0ab253872cdd3d8e7913f59c266c7fd01771d0 ]

We have many places where we want to check if a socket is
not a timewait or request socket. Use a helper to avoid
hard coding this.

Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>inet: add TCP_NEW_SYN_RECV state</title>
<updated>2015-06-28T17:39:21+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>edumazet@google.com</email>
</author>
<published>2015-03-12T23:44:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=bb5d5cc637187c20c0e1acadb472078363d83d84'/>
<id>bb5d5cc637187c20c0e1acadb472078363d83d84</id>
<content type='text'>
[ Upstream commit 10feb428a5045d5eb18a5d755fbb8f0cc9645626 ]

TCP_SYN_RECV state is currently used by fast open sockets.

Initial TCP requests (the pseudo sockets created when a SYN is received)
are not yet associated to a state. They are attached to their parent,
and the parent is in TCP_LISTEN state.

This commit adds TCP_NEW_SYN_RECV state, so that we can convert
TCP stack to a different schem gradually.

This state is not exported to user space.

Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 10feb428a5045d5eb18a5d755fbb8f0cc9645626 ]

TCP_SYN_RECV state is currently used by fast open sockets.

Initial TCP requests (the pseudo sockets created when a SYN is received)
are not yet associated to a state. They are attached to their parent,
and the parent is in TCP_LISTEN state.

This commit adds TCP_NEW_SYN_RECV state, so that we can convert
TCP stack to a different schem gradually.

This state is not exported to user space.

Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>tcp: fix child sockets to use system default congestion control if not set</title>
<updated>2015-06-15T18:26:53+00:00</updated>
<author>
<name>Neal Cardwell</name>
<email>ncardwell@google.com</email>
</author>
<published>2015-05-29T17:47:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=189debb56afd572f29cbd35abea68b4391185627'/>
<id>189debb56afd572f29cbd35abea68b4391185627</id>
<content type='text'>
[ Upstream commit 9f950415e4e28e7cfae2e416b43e862e8101d996 ]

Linux 3.17 and earlier are explicitly engineered so that if the app
doesn't specifically request a CC module on a listener before the SYN
arrives, then the child gets the system default CC when the connection
is established. See tcp_init_congestion_control() in 3.17 or earlier,
which says "if no choice made yet assign the current value set as
default". The change ("net: tcp: assign tcp cong_ops when tcp sk is
created") altered these semantics, so that children got their parent
listener's congestion control even if the system default had changed
after the listener was created.

This commit returns to those original semantics from 3.17 and earlier,
since they are the original semantics from 2007 in 4d4d3d1e8 ("[TCP]:
Congestion control initialization."), and some Linux congestion
control workflows depend on that.

In summary, if a listener socket specifically sets TCP_CONGESTION to
"x", or the route locks the CC module to "x", then the child gets
"x". Otherwise the child gets current system default from
net.ipv4.tcp_congestion_control. That's the behavior in 3.17 and
earlier, and this commit restores that.

Fixes: 55d8694fa82c ("net: tcp: assign tcp cong_ops when tcp sk is created")
Cc: Florian Westphal &lt;fw@strlen.de&gt;
Cc: Daniel Borkmann &lt;dborkman@redhat.com&gt;
Cc: Glenn Judd &lt;glenn.judd@morganstanley.com&gt;
Cc: Stephen Hemminger &lt;stephen@networkplumber.org&gt;
Signed-off-by: Neal Cardwell &lt;ncardwell@google.com&gt;
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: Yuchung Cheng &lt;ycheng@google.com&gt;
Acked-by: Daniel Borkmann &lt;daniel@iogearbox.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 9f950415e4e28e7cfae2e416b43e862e8101d996 ]

Linux 3.17 and earlier are explicitly engineered so that if the app
doesn't specifically request a CC module on a listener before the SYN
arrives, then the child gets the system default CC when the connection
is established. See tcp_init_congestion_control() in 3.17 or earlier,
which says "if no choice made yet assign the current value set as
default". The change ("net: tcp: assign tcp cong_ops when tcp sk is
created") altered these semantics, so that children got their parent
listener's congestion control even if the system default had changed
after the listener was created.

This commit returns to those original semantics from 3.17 and earlier,
since they are the original semantics from 2007 in 4d4d3d1e8 ("[TCP]:
Congestion control initialization."), and some Linux congestion
control workflows depend on that.

In summary, if a listener socket specifically sets TCP_CONGESTION to
"x", or the route locks the CC module to "x", then the child gets
"x". Otherwise the child gets current system default from
net.ipv4.tcp_congestion_control. That's the behavior in 3.17 and
earlier, and this commit restores that.

Fixes: 55d8694fa82c ("net: tcp: assign tcp cong_ops when tcp sk is created")
Cc: Florian Westphal &lt;fw@strlen.de&gt;
Cc: Daniel Borkmann &lt;dborkman@redhat.com&gt;
Cc: Glenn Judd &lt;glenn.judd@morganstanley.com&gt;
Cc: Stephen Hemminger &lt;stephen@networkplumber.org&gt;
Signed-off-by: Neal Cardwell &lt;ncardwell@google.com&gt;
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: Yuchung Cheng &lt;ycheng@google.com&gt;
Acked-by: Daniel Borkmann &lt;daniel@iogearbox.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>sctp: Fix mangled IPv4 addresses on a IPv6 listening socket</title>
<updated>2015-06-15T18:26:52+00:00</updated>
<author>
<name>Jason Gunthorpe</name>
<email>jgunthorpe@obsidianresearch.com</email>
</author>
<published>2015-05-26T23:30:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=a36102b2bb069c858a4be3457ba288208b4662b0'/>
<id>a36102b2bb069c858a4be3457ba288208b4662b0</id>
<content type='text'>
[ Upstream commit 9302d7bb0c5cd46be5706859301f18c137b2439f ]

sctp_v4_map_v6 was subtly writing and reading from members
of a union in a way the clobbered data it needed to read before
it read it.

Zeroing the v6 flowinfo overwrites the v4 sin_addr with 0, meaning
that every place that calls sctp_v4_map_v6 gets ::ffff:0.0.0.0 as the
result.

Reorder things to guarantee correct behaviour no matter what the
union layout is.

This impacts user space clients that open an IPv6 SCTP socket and
receive IPv4 connections. Prior to 299ee user space would see a
sockaddr with AF_INET and a correct address, after 299ee the sockaddr
is AF_INET6, but the address is wrong.

Fixes: 299ee123e198 (sctp: Fixup v4mapped behaviour to comply with Sock API)
Signed-off-by: Jason Gunthorpe &lt;jgunthorpe@obsidianresearch.com&gt;
Acked-by: Daniel Borkmann &lt;daniel@iogearbox.net&gt;
Acked-by: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 9302d7bb0c5cd46be5706859301f18c137b2439f ]

sctp_v4_map_v6 was subtly writing and reading from members
of a union in a way the clobbered data it needed to read before
it read it.

Zeroing the v6 flowinfo overwrites the v4 sin_addr with 0, meaning
that every place that calls sctp_v4_map_v6 gets ::ffff:0.0.0.0 as the
result.

Reorder things to guarantee correct behaviour no matter what the
union layout is.

This impacts user space clients that open an IPv6 SCTP socket and
receive IPv4 connections. Prior to 299ee user space would see a
sockaddr with AF_INET and a correct address, after 299ee the sockaddr
is AF_INET6, but the address is wrong.

Fixes: 299ee123e198 (sctp: Fixup v4mapped behaviour to comply with Sock API)
Signed-off-by: Jason Gunthorpe &lt;jgunthorpe@obsidianresearch.com&gt;
Acked-by: Daniel Borkmann &lt;daniel@iogearbox.net&gt;
Acked-by: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>xfrm: release dst_orig in case of error in xfrm_lookup()</title>
<updated>2015-06-10T17:42:46+00:00</updated>
<author>
<name>huaibin Wang</name>
<email>huaibin.wang@6wind.com</email>
</author>
<published>2015-02-11T17:10:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=25798d3d216334361a51ac37429a83c1faa5e97d'/>
<id>25798d3d216334361a51ac37429a83c1faa5e97d</id>
<content type='text'>
[ Upstream commit ac37e2515c1a89c477459a2020b6bfdedabdb91b ]

dst_orig should be released on error. Function like __xfrm_route_forward()
expects that behavior.
Since a recent commit, xfrm_lookup() may also be called by xfrm_lookup_route(),
which expects the opposite.
Let's introduce a new flag (XFRM_LOOKUP_KEEP_DST_REF) to tell what should be
done in case of error.

Fixes: f92ee61982d("xfrm: Generate blackhole routes only from route lookup functions")
Signed-off-by: huaibin Wang &lt;huaibin.wang@6wind.com&gt;
Signed-off-by: Nicolas Dichtel &lt;nicolas.dichtel@6wind.com&gt;
Signed-off-by: Steffen Klassert &lt;steffen.klassert@secunet.com&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit ac37e2515c1a89c477459a2020b6bfdedabdb91b ]

dst_orig should be released on error. Function like __xfrm_route_forward()
expects that behavior.
Since a recent commit, xfrm_lookup() may also be called by xfrm_lookup_route(),
which expects the opposite.
Let's introduce a new flag (XFRM_LOOKUP_KEEP_DST_REF) to tell what should be
done in case of error.

Fixes: f92ee61982d("xfrm: Generate blackhole routes only from route lookup functions")
Signed-off-by: huaibin Wang &lt;huaibin.wang@6wind.com&gt;
Signed-off-by: Nicolas Dichtel &lt;nicolas.dichtel@6wind.com&gt;
Signed-off-by: Steffen Klassert &lt;steffen.klassert@secunet.com&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipv6: protect skb-&gt;sk accesses from recursive dereference inside the stack</title>
<updated>2015-04-27T20:48:28+00:00</updated>
<author>
<name>hannes@stressinduktion.org</name>
<email>hannes@stressinduktion.org</email>
</author>
<published>2015-04-01T15:07:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=c8c30b2b17f2133e953850c547e3902c3a3d80e2'/>
<id>c8c30b2b17f2133e953850c547e3902c3a3d80e2</id>
<content type='text'>
[ Upstream commit f60e5990d9c1424af9dbca60a23ba2a1c7c1ce90 ]

We should not consult skb-&gt;sk for output decisions in xmit recursion
levels &gt; 0 in the stack. Otherwise local socket settings could influence
the result of e.g. tunnel encapsulation process.

ipv6 does not conform with this in three places:

1) ip6_fragment: we do consult ipv6_npinfo for frag_size

2) sk_mc_loop in ipv6 uses skb-&gt;sk and checks if we should
   loop the packet back to the local socket

3) ip6_skb_dst_mtu could query the settings from the user socket and
   force a wrong MTU

Furthermore:
In sk_mc_loop we could potentially land in WARN_ON(1) if we use a
PF_PACKET socket ontop of an IPv6-backed vxlan device.

Reuse xmit_recursion as we are currently only interested in protecting
tunnel devices.

Cc: Jiri Pirko &lt;jiri@resnulli.us&gt;
Signed-off-by: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit f60e5990d9c1424af9dbca60a23ba2a1c7c1ce90 ]

We should not consult skb-&gt;sk for output decisions in xmit recursion
levels &gt; 0 in the stack. Otherwise local socket settings could influence
the result of e.g. tunnel encapsulation process.

ipv6 does not conform with this in three places:

1) ip6_fragment: we do consult ipv6_npinfo for frag_size

2) sk_mc_loop in ipv6 uses skb-&gt;sk and checks if we should
   loop the packet back to the local socket

3) ip6_skb_dst_mtu could query the settings from the user socket and
   force a wrong MTU

Furthermore:
In sk_mc_loop we could potentially land in WARN_ON(1) if we use a
PF_PACKET socket ontop of an IPv6-backed vxlan device.

Reuse xmit_recursion as we are currently only interested in protecting
tunnel devices.

Cc: Jiri Pirko &lt;jiri@resnulli.us&gt;
Signed-off-by: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>cipso: don't use IPCB() to locate the CIPSO IP option</title>
<updated>2015-03-06T22:52:59+00:00</updated>
<author>
<name>Paul Moore</name>
<email>pmoore@redhat.com</email>
</author>
<published>2015-02-11T19:46:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=e5b55e1b0938c35edc60a3b4cc954e8ee641fde5'/>
<id>e5b55e1b0938c35edc60a3b4cc954e8ee641fde5</id>
<content type='text'>
commit 04f81f0154e4bf002be6f4d85668ce1257efa4d9 upstream.

Using the IPCB() macro to get the IPv4 options is convenient, but
unfortunately NetLabel often needs to examine the CIPSO option outside
of the scope of the IP layer in the stack.  While historically IPCB()
worked above the IP layer, due to the inclusion of the inet_skb_param
struct at the head of the {tcp,udp}_skb_cb structs, recent commit
971f10ec ("tcp: better TCP_SKB_CB layout to reduce cache line misses")
reordered the tcp_skb_cb struct and invalidated this IPCB() trick.

This patch fixes the problem by creating a new function,
cipso_v4_optptr(), which locates the CIPSO option inside the IP header
without calling IPCB().  Unfortunately, this isn't as fast as a simple
lookup so some additional tweaks were made to limit the use of this
new function.

Reported-by: Casey Schaufler &lt;casey@schaufler-ca.com&gt;
Signed-off-by: Paul Moore &lt;pmoore@redhat.com&gt;
Tested-by: Casey Schaufler &lt;casey@schaufler-ca.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 04f81f0154e4bf002be6f4d85668ce1257efa4d9 upstream.

Using the IPCB() macro to get the IPv4 options is convenient, but
unfortunately NetLabel often needs to examine the CIPSO option outside
of the scope of the IP layer in the stack.  While historically IPCB()
worked above the IP layer, due to the inclusion of the inet_skb_param
struct at the head of the {tcp,udp}_skb_cb structs, recent commit
971f10ec ("tcp: better TCP_SKB_CB layout to reduce cache line misses")
reordered the tcp_skb_cb struct and invalidated this IPCB() trick.

This patch fixes the problem by creating a new function,
cipso_v4_optptr(), which locates the CIPSO option inside the IP header
without calling IPCB().  Unfortunately, this isn't as fast as a simple
lookup so some additional tweaks were made to limit the use of this
new function.

Reported-by: Casey Schaufler &lt;casey@schaufler-ca.com&gt;
Signed-off-by: Paul Moore &lt;pmoore@redhat.com&gt;
Tested-by: Casey Schaufler &lt;casey@schaufler-ca.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
</feed>
